Analysis
-
max time kernel
145s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
08/03/2023, 03:14
Behavioral task
behavioral1
Sample
82045004321164546.doc
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
82045004321164546.doc
Resource
win10v2004-20230220-en
General
-
Target
82045004321164546.doc
-
Size
528.3MB
-
MD5
6692ccaeebf524525a4eb6de89f6dbc7
-
SHA1
8b350b5c2cf9ee551513218f2255eec461558048
-
SHA256
31ef5f1afc2dd841040db0adbb87b093973173aa58c3cbe76235ec29f1f609ad
-
SHA512
db0af266aa622b8ee855a9ec64d4d1619243980d018370a415672981387ddcac1ad3e6dd53a5be35dbdd58bc55d4cea2a7742aa229e2511a09a2471aaa5522b1
-
SSDEEP
6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x
Malware Config
Extracted
emotet
Epoch4
129.232.188.93:443
164.90.222.65:443
159.65.88.10:8080
172.105.226.75:8080
115.68.227.76:8080
187.63.160.88:80
169.57.156.166:8080
185.4.135.165:8080
153.126.146.25:7080
197.242.150.244:8080
139.59.126.41:443
186.194.240.217:443
103.132.242.26:8080
206.189.28.199:8080
163.44.196.120:8080
95.217.221.146:8080
159.89.202.34:443
119.59.103.152:8080
183.111.227.137:8080
201.94.166.162:443
103.75.201.2:443
149.56.131.28:8080
79.137.35.198:8080
5.135.159.50:443
66.228.32.31:7080
91.121.146.47:8080
153.92.5.27:8080
45.235.8.30:8080
72.15.201.15:8080
107.170.39.149:8080
45.176.232.124:443
82.223.21.224:8080
167.172.199.165:8080
213.239.212.5:443
202.129.205.3:8080
94.23.45.86:4143
147.139.166.154:8080
167.172.253.162:8080
91.207.28.33:8080
188.44.20.25:443
104.168.155.143:8080
110.232.117.186:8080
164.68.99.3:8080
1.234.2.232:8080
173.212.193.249:8080
182.162.143.56:443
160.16.142.56:8080
101.50.0.91:8080
103.43.75.120:443
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2060 3212 regsvr32.exe 83 -
Loads dropped DLL 2 IoCs
pid Process 2060 regsvr32.exe 1076 regsvr32.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KTlGhUDmHbghChLY.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\XjiGCTT\\KTlGhUDmHbghChLY.dll\"" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 25 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 3212 WINWORD.EXE 3212 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2060 regsvr32.exe 2060 regsvr32.exe 1076 regsvr32.exe 1076 regsvr32.exe 1076 regsvr32.exe 1076 regsvr32.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 3212 WINWORD.EXE 3212 WINWORD.EXE 3212 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 3212 WINWORD.EXE 3212 WINWORD.EXE 3212 WINWORD.EXE 3212 WINWORD.EXE 3212 WINWORD.EXE 3212 WINWORD.EXE 3212 WINWORD.EXE 3212 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3212 wrote to memory of 2060 3212 WINWORD.EXE 91 PID 3212 wrote to memory of 2060 3212 WINWORD.EXE 91 PID 2060 wrote to memory of 1076 2060 regsvr32.exe 92 PID 2060 wrote to memory of 1076 2060 regsvr32.exe 92
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\82045004321164546.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\041450.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\XjiGCTT\KTlGhUDmHbghChLY.dll"3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1076
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
531.7MB
MD54e7c0febeab7b8257bb5a9a5b41964be
SHA1e113c92df1a8666abd66330a9eb95c8544137db7
SHA256c070bf966a8d0e9a473685e67bf3091ddda302eb9a54425727a325554aa35ed4
SHA5128761395868d23e267bc9f9237698461bede93f8f89c12589662bd996fd1dacab96636998c7e72729f882faac6df12e1640f2e8375c7a66b45668f93f0708c882
-
Filesize
531.7MB
MD54e7c0febeab7b8257bb5a9a5b41964be
SHA1e113c92df1a8666abd66330a9eb95c8544137db7
SHA256c070bf966a8d0e9a473685e67bf3091ddda302eb9a54425727a325554aa35ed4
SHA5128761395868d23e267bc9f9237698461bede93f8f89c12589662bd996fd1dacab96636998c7e72729f882faac6df12e1640f2e8375c7a66b45668f93f0708c882
-
Filesize
867KB
MD504841567d303b897660134f8db50a4e6
SHA1dbdd9eb1e160fbd9a91acadfad738dc456a79621
SHA256ad9b12a5471edf6180c452dcc70156d505ea049f1173175234a9b246c2672438
SHA5123d9be2c4c2233941198ffa809b07c06876bace9a0075aea29d9750d73b0c5a7cfe88e890ad1cfbb8c593ada99eda4c49f27e2f2724d85c9317fd4b17fc0c318d
-
Filesize
531.7MB
MD54e7c0febeab7b8257bb5a9a5b41964be
SHA1e113c92df1a8666abd66330a9eb95c8544137db7
SHA256c070bf966a8d0e9a473685e67bf3091ddda302eb9a54425727a325554aa35ed4
SHA5128761395868d23e267bc9f9237698461bede93f8f89c12589662bd996fd1dacab96636998c7e72729f882faac6df12e1640f2e8375c7a66b45668f93f0708c882